[6385] in Kerberos
Can Kerberos help here?
daemon@ATHENA.MIT.EDU (Tony Baxter)
Wed Dec 20 21:42:00 1995
To: kerberos@MIT.EDU
Date: Wed, 20 Dec 1995 16:51:42 GMT
From: Tony.Baxter@bris.ac.uk (Tony Baxter)
We are a fair-sized UK University. Our undergraduate intake is of the order of
2500/year. Over the last few years, undergrad computing and email has spread
rapidly from just science/engineering to cover the whole academic spectrum.
Organizing computer registrations (and deregistrations) has become a major
hassle, and The Powers That Be have decreed that there will be A Central
Registration Database. Yours truly has been told to find if Kerberos can
assist in this.
I've been lurking here for a while and reading what stuff I can find. With
assistance from a Unix guru, I have made a working Kerberos authentication
server, so we can get the technology to work in principle.
I understand the proper user workstation/Kerberos authentication
server/compute server model, and want to solicit opinions from the community
on the following scenario.
Network security is NOT currently seen as a major issue (the majority of the
network is implemented in UTP and eavesdrop-protecting hubs). User
workstations are a heterogeneous lot (more than 3000 IP numbers issued)
ranging from DOS 286-based system through various flavours of MS Windows, a
sprinkling of Macs and a number of high-end Unix workstations. The Computing
Service's central servers are all Unix boxes from several manufacturers.
Faculty-run machines certainly include VMS, and may include others.
We do not have the necessary resources to Kerberize all workstations on the
timescales proposed: indeed I suspect that it's not possible for DOS boxes (I
await correction :-). Current access methods for most of the servers are via
Telnet clients on the workstations, and some IMAP mail clients.
What we are wondering about doing is to modify the Telnet responder on the
host machines to attempt to authenticate against a central Kerberos server,
and if this authentication succeeds, then use the local passwd file as
authorisation to use this particular machine.
This meets the requirement to have registration information in one place,
gives consistent passwords for those people with registrations on multiple
machines and sounds like a reasonable starting point for doing proper
Kerberization at a later stage.
Now the $64 question: leaving aside the network security problem, why won't it
work? What should we be doing differently?
Answers on an email, please, and I'll summarize to the group after Christmas.
With thanks in advance,
Tony
Comms bod, general dogsbody
Bristol Univ Computing Service,
Tyndall Ave, Bristol, BS8 1UD. UK.
RFC822: Tony.Baxter@bristol.ac.uk
X.400: G=Tony;S=Baxter;O=bristol;P=UK.AC;C=GB
Phone: +44(0) 117 928 7850
Switchboard: +44(0) 117 928 9000 ext 7850
Fax: +44(0) 117 929 1576
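An added illustration (not part of the original post) of the authentication/authorisation split the post proposes: the central Kerberos realm decides whether the password is right, and the host's own passwd file decides whether that principal may log in here. The Kerberos step is represented by a caller-supplied callback, and the realm name and passwd contents are constructed sample data.

```python
# Constructed sample data; REALM is a placeholder for the site's Kerberos realm.
REALM = "EXAMPLE.AC.UK"
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
tb:x:1001:100:Tony B:/home/tb:/bin/sh
guest:x:1002:100:Guest:/home/guest:/bin/false
"""
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin")


def parse_passwd(text):
    """Parse passwd(5) text into {name: {"uid": int, "shell": str}}.

    Malformed lines are skipped rather than trusted."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def authorise(principal, local_users, realm=REALM):
    """Map an authenticated Kerberos principal to a local account, or None.

    Only primaries in our own realm are accepted, principals carrying an
    instance (e.g. user/admin) are rejected, and accounts whose shell
    forbids login are refused even though the password was correct."""
    if "@" not in principal:
        return None
    name, _, prealm = principal.rpartition("@")
    if prealm != realm or "/" in name or not name:
        return None
    entry = local_users.get(name)
    if entry is None or entry["shell"] in NOLOGIN_SHELLS:
        return None
    return name


def login(principal, password, verify_password, local_users):
    """Step 1: central KDC verifies the password (verify_password callback,
    standing in for a krb5 library call). Step 2: local passwd authorises."""
    if not verify_password(principal, password):
        return None
    return authorise(principal, local_users)
```

The two steps are deliberately independent: a principal the KDC vouches for still gets nothing on a host where it has no passwd entry, which is the property the post wants from keeping registration central and per-machine access local.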